Contactless chips have been invading our daily life little by little. They rely on various technologies, such as RFID (Radio Frequency Identification) or NFC (Near Field Communication).
They can already be found in urban transit passes (e.g. Navigo subway pass or Velib bicycle rental cards), in electronic passports, building access badges (e.g. Vigik), electronic purses, car keys, and in logistics applications for luggage handling systems at airports or inventory control in retail stores.
The radio-identification technology (RFID) has concurrently become a major economic stake, particularly for applications in the retail and transportation industries.
Yet, the future promises to add ever more diversified applications. Chips will most likely be used to instantly detect the contents of our supermarket shopping cart. They will have the ability to analyse the items we purchase; luxury goods will be tagged to prevent counterfeiting; payments will be contactless once NFC readers are embedded into our mobile phones; medicines and blood pouches will also be tagged to enhance their traceability.
Experiments are currently under way to fit newborn infants in maternity wards with RFID bracelets to prevent kidnapping. What about chips implanted under the skin? It's already being done in Spain, where RFID tags are injected under the skin as a means of payment in some nightclubs, a purpose totally disproportionate to real needs!
These technologies raise new challenges for personal data protection and privacy, first and foremost the issue of their invisibility or quasi-invisibility. How can compliance with the law be guaranteed in the presence of invisible technologies?
Furthermore, anyone equipped with the appropriate reader can access the contents of the RFID tag. And a chip can contain personal data (or data that can become personal via interconnections with a database) that enable remote identification of its bearer. If all the objects of our daily life (transport cards, clothes, telephone, car, bracelet, etc.) are tagged in this manner, it will then become possible to track individuals in every single act of their daily life…
It is true that today RFID devices still do not allow for continuous monitoring of individuals. For instance, the use of a Navigo pass only reveals at which station the passenger entered, and possibly exited, the Paris subway. It is still not possible to find out the passenger's detailed journey, particularly since CNIL has restricted the data retention time to 2 days, and only for fraud detection purposes.
But what about tomorrow? Theoretically, a more precise surveillance of individuals would be possible, though this would require considerable resources, with a dense mesh of readers capable of receiving the data contained in the tags from a distance of several metres away.
In urban transport, it is essential to ensure that systems enabling passengers to travel anonymously continue to exist.
In the retail industry, tags fitted onto the products sold in supermarkets should have a way to be automatically neutralised at the cash register (by deactivation or physical removal). Technical devices ensuring RFID tag neutralisation should therefore be embedded at the manufacturing stage, whenever the chip has no intended application beyond the point of sale. Solutions already exist, but research needs to progress further in order to find practical ways to implement them. In this perspective, CNIL has been cooperating with the Retail Industry Cluster of the Nord region in France, in an effort to guide the development of RFID technologies.
Furthermore, it is essential to provide consumers with clear and detailed information on the use of such tags, on the related data processing involved and on the possibility for them to read the chip contents and check whether or not it is active.
Lastly, security standards must be promoted to guarantee that any personal data possibly contained in the tags cannot be read remotely by unauthorised third parties without the person's knowledge.
In view of their massive dissemination, of the individual nature of identifiers for each tagged object, of their invisible character and of the risks of individual profiling, CNIL has been monitoring the development of these new technologies with extreme vigilance. The Commission has regular contacts with the industry players, both on a national and a European scale, and is currently involved in the drafting of an EU recommendation on the subject that should be adopted in the first half of 2008. The recommendation is intended as a reminder that such technological developments should necessarily be matched by compliance with key principles of data protection, i.e. principles of legitimacy of purpose, proportionality, transparency and security.
Should the use of such technologies be more precisely framed and regulated by law? Whenever RFID devices enable any direct or indirect identification of a physical person, they fall under the remit of the French Data Protection Act. From this standpoint, it does not appear necessary to adopt any other specific legislation, but it might prove necessary to adapt the French Data Protection Act in order to account specifically for this particular technology. The working party created within CNIL for this purpose will be in charge of reviewing the enforceability of the Data Protection Act, of recommending a revision of the law as felt appropriate, and of assessing whether an addendum on this topic might be necessary (see Chapter 4).
RFID devices enable the detection of the presence, and the identification, of objects or persons. They consist of a microchip (also called a tag) and an antenna communicating via radio waves with an electronic reader over distances ranging from a few centimetres to several dozen metres. For applications in the retail industry, their cost is approximately 5 eurocents per unit.
Other types of communicating chips, smarter or smaller, have been emerging with the advent of the globalised “object-oriented internet”. Some prototypes are virtually invisible (0.15 mm square and 7.5 microns thick), while others have a storage capacity of 512 KB (kilobytes) for a size of 2 mm² and can exchange data at a rate of 10 Mbps (megabits per second).
NFC (Near-Field Communication) technology, a communication standard developed in 2002, enables communication and inter-operation between various types of RFID chips. The transmission distance is 10 cm at a maximum throughput rate of 424 Kbps.